Commits on Jan 28, 2013
  1. bumping to 3.0.20

    tenderlove committed Jan 28, 2013
  2. Add an OkJson backend and remove the YAML backend

    NZKoz committed with tenderlove Jan 23, 2013
    Fixes CVE-2013-0333. The ActiveSupport::JSON::Backends::Yaml class is present but the functionality has been removed entirely.
Commits on Jan 27, 2013
  1. Fix failing test related to escaping include_blank in select_tag

    carlosantoniodasilva committed Jan 27, 2013
    Rails 3.0.x doesn't have the :prompt option in select_tag; it was
    introduced in c5d54be, which is only
    available from 3.1.x on.
    
    The test and related fix were introduced in
    c979587 for Rails 3.0.17, as a fix for
    a security vulnerability. The code is completely fine, but the test was
    using the invalid :prompt option for this version, probably because it
    was cherry-picked from another branch which has the option.
Commits on Jan 26, 2013
  1. Remove obsolete rake/rdoctask require

    carlosantoniodasilva committed Jan 26, 2013
    Requiring this now raises a RuntimeError, failing the test.
    It also seems that the require is unnecessary to pass the test.
  2. Update failing tests overriding destroy method instead of using mocha expectation

    carlosantoniodasilva committed Jan 26, 2013
    
    Mocha by default does not allow adding expectations to frozen objects,
    so this just applies a workaround to ensure the method is never called, making
    the tests pass without enabling this again in mocha.
Commits on Jan 16, 2013
  1. Merge pull request #8872 from freerange/3-0-stable-with-mocha-fixes

    rafaelfranca committed Jan 16, 2013
    Fix 3-0-stable to work with Mocha >= v0.13.0
  2. Fix 3-0-stable to work with Mocha >= v0.13.0

    floehopper committed Aug 26, 2012
    A) Update code in ActiveSupport which monkey-patches Test::Unit to
    include Mocha bug fix.
    
    A bug was fixed [1] in Mocha's integration with Test::Unit, but this
    monkey-patching code was copied before the fix. We need to copy the
    fixed version.
    
    The bug meant that an unexpected invocation against a mock within the
    teardown method caused a test *error* and not a test *failure*.
    
    B) Fix for Test::Unit/Mocha compatibility.
    
    Mocha is now using a single AssertionCounter which needs a reference to
    the testcase as opposed to the result.
    
    This change is an unfortunate consequence of the copying of a chunk of
    Mocha's internal code in order to monkey-patch Test::Unit.
    
    C) Avoid a Mocha deprecation warning.
    
    [1]
    freerange/mocha@f1ff647#diff-5
Commits on Jan 11, 2013
  1. Merge pull request #8890 from dylanahsmith/3-0-parse-non-object-json-params

    jeremy committed Jan 11, 2013
    
    3-0-stable: Fix JSON params parsing regression for non-object JSON content.
Commits on Jan 9, 2013
  1. Merge pull request #8853 from zmoazeni/3-0-xml-serialization-fix

    carlosantoniodasilva committed Jan 9, 2013
    Methods that return nil should not be considered YAML
  2. Methods that return nil should not be considered YAML

    zmoazeni committed Jan 9, 2013
    This is a direct port of @jaw6's pull request
    #492. His cleanly applied to Rails
    v3.1 and v3.2, and this cleanly applies to v3.0.
    
    With yesterday's security patches
    http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-3-15-have-been-released/
    there is now an issue with Rails v3.0 serving XML to any of the latest
    versions of ActiveResource.
    
    Without this, Rails v3.0 can serve XML to ActiveResource consumers that
    will see `Hash::DisallowedType: Disallowed type attribute: "yaml"`
  3. Merge pull request #8836 from sikachu/3-0-stable-fix-ars

    carlosantoniodasilva committed Jan 9, 2013
    Remove test for XML YAML parsing
  4. Remove test for XML YAML parsing

    sikachu committed Jan 9, 2013
    The support for YAML parsing in XML has been removed from Active Support
    since it introduced a security risk. See a494824 for more detail.
Commits on Jan 8, 2013
  1. bumping version

    tenderlove committed Jan 8, 2013
  2. * Strip nils from collections on JSON and XML posts. [CVE-2013-0155] * dealing with empty hashes. Thanks Damien Mathieu

    tenderlove committed Jan 4, 2013
    
    Conflicts:
    	actionpack/CHANGELOG.md
    	activerecord/CHANGELOG.md
    
    Conflicts:
    	actionpack/CHANGELOG.md
    	activerecord/CHANGELOG.md
    	activerecord/lib/active_record/relation/predicate_builder.rb
Commits on Dec 23, 2012
  1. bumping to 3.0.18

    tenderlove committed Dec 23, 2012
  2. updating changelogs

    tenderlove committed Dec 23, 2012
Commits on Aug 9, 2012
  1. Merge pull request #7308 from amerine/3-0-stable

    spastorino committed Aug 9, 2012
    Add html_escape note to CHANGELOG
  2. Bump to 3.0.17

    spastorino committed Aug 9, 2012
  3. Add CHANGELOG entries

    spastorino committed Aug 9, 2012
  4. Do not mark strip_tags result as html_safe

    spastorino committed Aug 8, 2012
    Thanks to Marek Labos & Nethemba
    
    CVE-2012-3465
  5. escape select_tag :prompt values

    spastorino committed Aug 8, 2012
    CVE-2012-3463
Commits on Aug 8, 2012
  1. html_escape should escape single quotes

    spastorino committed with tenderlove Aug 1, 2012
    https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
    Closes #7215
    
    Conflicts:
    	actionpack/test/controller/new_base/render_template_test.rb
    	actionpack/test/template/asset_tag_helper_test.rb
    	actionpack/test/template/erb_util_test.rb
    	actionpack/test/template/javascript_helper_test.rb
    	actionpack/test/template/template_test.rb
    	activesupport/lib/active_support/core_ext/string/output_safety.rb
    	activesupport/test/core_ext/string_ext_test.rb
    	railties/test/application/assets_test.rb